NovaPay

How a Fintech Achieved ISO 27001 and DORA Compliance in 6 Months

Confidentiality note: Company and individual names in this case study are fictitious to protect client confidentiality. Project data, timelines, metrics and results described are real and correspond to a project completed in 2026.

Company Context

NovaPay is a Spanish fintech founded in 2019, offering payment processing and open banking services for mid-size merchants. With 180 employees across Madrid and Lisbon, they process over 2 million monthly transactions for approximately 400 merchants in Spain and Portugal.

The Challenge

In January 2026, NovaPay faced two simultaneous regulatory deadlines:

  • ISO 27001: Their main banking partner required the certification by September 2026 for all technology providers processing card data. Without it, NovaPay would lose a contract representing 35% of revenue.
  • DORA: As a critical ICT service provider for financial entities, NovaPay fell under DORA scope, requiring documented ICT risk management, incident reporting and third-party oversight.

The team had 8 months, a 3-person security team with no certification experience, and a 45,000 EUR budget.

The Solution

Using Riskitera, the project was completed in three 2-month phases covering risk assessment, control implementation with dual ISO 27001/DORA mapping, automated evidence collection, SOC monitoring deployment, and staff training.

Results

Metric                                  Before        After         Improvement
Time to ISO 27001 certification         N/A           6 months      50-65% below industry average
ISO 27001 Annex A controls documented   0/93          93/93         100% coverage
DORA requirements covered               0%            87%           Pending: advanced TLPT testing
Evidence collection time                ~40 h/month   ~6 h/month    85% reduction
MTTD (mean time to detect)              Unknown       4.2 hours     Measurable for the first time
ICT providers formally assessed         0/12          12/12         100% coverage

The business impact included a renewed 3-year banking contract, two new clients in Portugal, and a 22% reduction in cyber insurance costs.